A Quick Primer for Financial Professionals
Data security is a major issue of concern in the financial services industry because it is associated with huge potential financial and reputational costs. Cybercrime targeting financial firms is on the rise.
Accordingly, attention to data security matters should involve not only information technology staff, but also risk management and compliance personnel, members of controller organizations and chief financial officers. Furthermore, financial management professionals in other industries need a basic working familiarity with data security topics, given the financial exposures involved.
The increasing frequency and cost of major data security breaches, which affect banks, investment firms, electronic payment processors, credit card networks, retail merchants and others, make this an area whose importance is virtually impossible to overestimate these days.
Data Security Issues:
Data security for companies that accept payment via credit cards and debit cards involves taking a great deal of care regarding the choice of electronic payment processors. There are hundreds of companies in this line of business, but only a subset are rated PCI Compliant by the Payment Card Industry Security Standards Council. The major credit card issuers (Visa, MasterCard, etc.) typically attempt to steer companies towards using only PCI-compliant payment processors.
Data security regarding point of sale credit card and debit card processing, such as at cash registers, gas pumps and ATMs, is increasingly being compromised and complicated by schemes to steal card numbers and PINs. Many of these schemes utilize the secret placement of RFID chips (radio frequency identification chips) by data thieves at these terminals to "skim" such data. Security company ADT is a vendor that offers Anti-Skim software, which triggers alerts when data breaches of this sort are detected.
Additionally, a Qualified Security Assessor (QSA) can be engaged to conduct a survey of a company's susceptibility to these kinds of data security breaches.
Data security often depends on the physical security at data centers. This involves ensuring that unauthorized personnel are kept out. Additionally, authorized personnel must not be allowed to remove servers, laptops, flash drives, disks, tapes, printouts, etc., containing sensitive information from company locations. Similarly, controls should be in place to prevent personnel from viewing sensitive information that they do not need in the discharge of their duties.
In addition to security protocols and procedures on your company's premises, the practices of outside vendors of data processing and transmission services must be scrutinized. For example, if a third-party firm hosts your company's website, you must be concerned about its data security procedures. The SAS-70 certification is a common standard for adequate security procedures regarding internal networks, required by the Sarbanes-Oxley Act for publicly held information technology firms. Use of SSL protocols is the standard for handling sensitive data securely online, such as the entry of credit card numbers in payment for transactions.
Network Security Best Practices:
Key aspects of network security that have an impact on data security are protections against intrusion by hackers and against the flooding (denial-of-service) of websites or networks. Both your in-house information technology group and your Internet service provider (ISP) must have appropriate countermeasures in place. This is also a matter of concern regarding web hosting and payment processing companies. All of these outside vendors must be able to demonstrate what protections they have.
Again, the best practices that characterize your own company's data networks, data centers and data management are the same ones that you should confirm are in place at all outside vendors of data processing, payment processing, networking and website hosting services. Before entering into any contract with a third-party provider, you should ascertain that it holds the appropriate minimum certifications from independent outside bodies (as outlined above) and conduct your own due diligence, led either by your company's own information technology personnel with the appropriate credentials or by qualified outside consultants.
As a final consideration, it is possible to purchase insurance against the costs associated with data security breaches. Such costs include the fines and penalties levied by credit card networks (such as Visa and MasterCard) for such failures. They also include the expenses that the networks impose on card issuers (mainly banks, credit unions and securities firms) for canceling credit and debit cards, issuing new ones and making cardholders whole after breaches caused by your company; the issuers will in turn attempt to charge those expenses back to your company.
Such insurance can sometimes be offered by payment processing firms, and is also available directly from insurance companies. The fine print on such policies can be detailed, so buying such insurance requires a great deal of care.
Principal source: "Dodging Data Breaches," Forbes, 7/18/2011.